[Cscwg-public] Final CSCWG F2F Meeting Minutes

Thu Jun 30 16:17:09 UTC 2022

FINAL, APPROVED MINUTES of F2F:

CSCWG Meeting 

Leader: Bruce Morton (Entrust) Minutes: Dean Coclin Bruce read the
anti-trust statement. Attendance: In the room: Leo Grove (SSL.com), Josef
Nigut (Disig), Atsushi Inaba (Globalsign), Mike Agrenius Kushner
(Keyfactor-Guest), Heinrik (Keyfactor - Guest), Clemens Wanko (ACAB-c),
Aneta Wojcak (Microsoft), Martin Karterbarg (Sectigo), Corey Bonnell
(DigiCert), Ben Wilson (Mozilla), Dean Coclin (DigiCert), Inigo Barreira
(Sectigo), Dimitris Zacharopoulos (Harica), Tomasz Litarowicz (Certum), Paul
vanBrowershaven (Entrust). Alexksandra Kurosz (Certum), Paulina Karwowska
(Certum), Ewelina Chudy (Certum), Anna Sikorska (Certum), Aleksandra Iinicka
(Certum). On the line: TIm Hollobeek (DigiCert), Wayne Thayer (Fastly),
Aaron Paulson (Amazon), Adam Jones (Microsoft), Andrea Holland
(SecureTrust), Bruce Wei (TrustAsia), Chris Kemmerer (SSL.com), Don Sheehy
(WebTrust), Doug Beattie (Globalsign), Ian McMillan (Microsoft), Eva
VanSteenberge (Globalsign), Hazhar Ismail (MSC Trustgate), Jeff Ward
(WebTrust), Joanna Fox (Trustcor), Kharil Nizam (MSC Trustgate), Li-Chun
Chen (Chungwa Telecom), Lynn Jeun (Visa), Marcelo Silva (Visa), Michael
Sykes (SSL.com), Nargis Mannan (SecureTrust), Niko Carpenter (SecureTrust),
Rollin Yiu (TrustAsia), Tadahiko Ito (Secom), Thomas Zermeno (SSL.com),
Trevoli Ponds-White (Amazon), Tsung Min-Kuo (Chungwa Telecom), Tyler Myers
(GoDaddy), Vijay Kumar (e-Muhdra), Wojciech Trapczynski (Certum), Yoshiro
Yoneya (JPRS), Zurina Zolkaffly (MSC Trustgate). 

The attached presentation was used as a guide for the meeting. Bruce opened
by discussing the elections in the fall. Dean said elections will be opened
60 days prior to the expiration date, per the bylaws. Please start thinking
of running if you are interested. 

The first topic was the Signing Service Requirements (see slide 7). Bruce
reviewed each bullet point. Tim said that one of the purposes of the signing
service was to prevent fraud and we should add something about how the
subscriber authenticates to the signing service. 

Bruce then ran through the marked up version of the document to highlight
the changes with regard to the signing services. (the marked up document,
including notes and comments from the meeting, is included as part of the
minutes). Dimitris suggested that having to authenticate for every signing
in the same session would be problematic. Ian agreed and a discussion was
had of some sort of token for a limited time, as a suggestion. This needs to
be worked out. A discussion about changing key requirements from 140-2 to
140-3 took place and is reflected in that section of the document. A
discussion about audits took place and section 8.4.1 was modified
accordingly. 

The next topic was around rules for cloud based key generation for a signing
service (slide 8 in the deck). Inigo asked if they cloud provider needs to
provide information for the audit (i.e. proof of keys in HSMs). How does one
determine if it is in the cloud? Auditors would have difficulty accessing
the cloud location. Tim asked how does one know that the HSM is handled
securely? Ian said from what he has seen, the cloud providers provide a lot
of certification proof as part of their services. But how do they prove they
are a certified cloud provider? Dimitris said there are some ISO standards
for data centers and cloud providers to cover that. Those could be added to
the CSBRs. Tim said we should look at the cloud HSM providers and see what
specs they follow. Inigo said that ENISA has some sort of cloud security
specification which is more strict but not specific for PKI. Don said that
cloud does bring up an issue of auditability and controls. A short
discussion of audits for clouds took place. 

What if the signing service stored the keys in the cloud but had the HSM
onsite? Various opinions on how this work were discussed. Clemens said
depending on the device certification, this would be covered. 

The next topic was on high risk applicants. Nothing needs to be done before
Nov 15th. 

Timestamp updates: Slide 10 was discussed. Ian to follow up with Karina on
the proposed update. A discussion about destroying the old key once the new
key is in production took place. All agreed that was a good idea. Validity
periods were discussed. Appears to be some benefit to Java of having 135
month validity. Bruce suggested a max of 54 months. Regarding the TS server
Dimitris said it should be offline. All agreed. Bruce asked if the TS server
should have its own CPS (i.e. TPS). There may be items that need to be
disclosed. Tim didn't think there was value there. 

Meeting minutes of the prior meeting (May 19th) were approved. 

Revocation: Martijn presented some redlines to the revocation section
13.1.5.3 to make it less complicated. Bruce said he would be willing to
support updating this section. Ian agreed that the definitions could use
some cleanup. There was a discussion about obtaining telemetry data from
Microsoft to help with this section. 

Dimitris asked what the next steps were for future ballots. Martijn
suggested we should have a cleanup ballot. Corey concurred and said we
should wait until IPR clears for current ballot. After the cleanup ballot,
then we can look at a signing service proposal. 

The meeting for next Thursday (16th) will be canceled so the next meeting
will be the 30th. 

Dean Coclin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220630/3c83ff17/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: F2F 56 - CSWG 202206 v1.pptx
Type: application/vnd.openxmlformats-officedocument.presentationml.presentation
Size: 81026 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220630/3c83ff17/attachment-0001.pptx>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4916 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220630/3c83ff17/attachment-0001.p7s>